Bug#612714: netfilter: fails to match state of IPv6 connections
Package: linux-2.6
Version: 2.6.32-30
Severity: normal
Tags: upstream ipv6
I tested this only by filtering bridged traffic.
How to repeat:
1. Set the IPv6 FORWARD default policy to DROP.
2. Add this rule:
ip6tables -A FORWARD -j ACCEPT
3. This way, the packets (neighbor discovery, ICMP ping ...) are not dropped.
4. We delete the previous rule and add this one:
ip6tables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
5. The IPv6 packets, which should be forwarded, are now dropped.
For the record: if I test this with Lenny, the packets are forwarded if I match INVALID packets and accept them. In Squeeze even this doesn't seem to work.
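As an added example (not from the bug report or the Debian kernel package), the script below generates, rather than runs, the stateful IPv6 FORWARD rule set from steps 1 to 4, with two checks a practitioner would want before relying on it: it refuses to emit the `-m state` rule unless `nf_conntrack_ipv6` appears in an lsmod-style module list (the state match can only classify IPv6 packets that module tracks), and it accepts the ICMPv6 neighbor-discovery types 133 to 137 explicitly, as RFC 4890 recommends, so that a bridged link keeps working even when the state match does not classify those packets. The module name and ICMPv6 type numbers are real; the lsmod text and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the bug report or the Debian kernel package.
# Prints (does not execute) the IPv6 FORWARD rules from the report after
# checking that nf_conntrack_ipv6 is present in an lsmod-style module list.
# ICMPv6 types 133-137 are neighbor discovery (RFC 4861); they are allowed
# before the stateful rule so that they never depend on conntrack state.
# The lsmod text at the bottom is constructed sample data.

# has_ipv6_conntrack LSMOD_TEXT: exit 0 if nf_conntrack_ipv6 is listed
# (lsmod prints the module name in the first column).
has_ipv6_conntrack() {
    printf '%s\n' "$1" | grep -q '^nf_conntrack_ipv6[[:space:]]'
}

# forward_rules LSMOD_TEXT: print the ip6tables commands; exit 1 with a
# hint on stderr if the stateful rule would be added without conntrack.
forward_rules() {
    if ! has_ipv6_conntrack "$1"; then
        echo "nf_conntrack_ipv6 not loaded: -m state would drop all forwarded IPv6; load it first" >&2
        return 1
    fi
    echo "ip6tables -P FORWARD DROP"
    # Neighbor discovery, accepted regardless of connection-tracking state.
    for t in 133 134 135 136 137; do
        echo "ip6tables -A FORWARD -p icmpv6 --icmpv6-type $t -j ACCEPT"
    done
    # The stateful rule from step 4 of the report.
    echo "ip6tables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
}

# Constructed lsmod output for the stand-alone run.
SAMPLE_LSMOD="Module                  Size  Used by
nf_conntrack_ipv6      12345  2
nf_conntrack           56789  3 nf_conntrack_ipv6,xt_state
bridge                 45678  0"

forward_rules "$SAMPLE_LSMOD"
```

Run on a real host by replacing `SAMPLE_LSMOD` with `"$(lsmod)"`; the printed commands can then be reviewed and applied with root privileges. If the function returns 1, the state match should not be installed until the conntrack module is loaded, since with a DROP policy it would otherwise behave exactly as step 5 describes.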
-- Package-specific info:
** Version:
Linux version 2.6.32-5-amd64 (Debian 2.6.32-30) (ben@decadent.org.uk) (gcc version 4.3.5 (Debian 4.3.5-4) ) #1 SMP Wed Jan 12 03:40:32 UTC 2011
** Command line:
BOOT_IMAGE=/boot/vmlinuz-2.6.32-5-amd64 root=UUID=588f1832-95bb-4ea9-983e-f7fd257ddf70 ro quiet
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/1 CPU core)
-- debconf information:
linux-image-2.6.32-5-amd64/postinst/ignoring-do-bootloader-2.6.32-5-amd64:
linux-image-2.6.32-5-amd64/postinst/depmod-error-initrd-2.6.32-5-amd64: false
linux-image-2.6.32-5-amd64/prerm/removing-running-kernel-2.6.32-5-amd64: true
linux-image-2.6.32-5-amd64/postinst/missing-firmware-2.6.32-5-amd64: